Randomblings from Rich

November 15, 2015

I currently manage about 20 people on a contract with a division of the Department of Justice. While not necessarily the perfect man for the job, I do fairly well and I still get to involve myself in technical decisions on a day to day basis. I get to preach from my pulpit about the way that things 'should be done' and complain about the lack of resources we have to do things properly. In all, I like my job. I've also applied for the job of Chief Information Security Officer [CISO] at the same agency, and have completed the interviews, awaiting a decision and negotiation to see whether or not they wish to have me join the federal work force, and whether I can accept the job for their offer. Let's assume, for the moment, that they give me the job.

What next? What comes of my career, my hopes and dreams and everything else when I've met my life's goals? To become an executive IT officer, to have a stable job, to be able to afford a reasonable middle-class lifestyle without amassing debt, to have opportunities to continue to learn about interesting things, to have a grown child of whom I'm proud. It seems that I have accomplished all of these things and the question is going to require some thought about the nature of life, lifestyles and goal-driven life.

Willy Wonka: But Charlie, don't forget what happened to the man who suddenly got everything he always wanted.

Um, great...but I'm not done...and I know I'm not going to live 'ever after'. I still have at least another 30 years to go on this Earth, 40 or more if I start taking care of myself a little bit better. Now that I'm approaching the pinnacles of Maslow's pyramid, I find myself wondering what my contribution will be to the world.

Well --- I have a few ideas.....

1. Information Security - The world needs an easier way. The more that Infosec has solidified itself as a discipline, the more I've noticed a struggle in the educational realm for thought above and beyond the mechanics of the field. There is need for thinking above and beyond the vulnerability of the day and the wow factor of discovering yet another amplification attack buried in the hidden recesses of a long-forgotten protocol. I have been thinking that what is needed is a visual model for applying information security to systems. It has to be simple enough for systems analysts to actually use and understand, but flexible enough to delve deep into the multiple layers and facets of system design. We need something formal, but something that can be taught in one semester.

2. Self-sufficiency - The world has undergone a creeping change since the Industrial Revolution. The change is pointing us away from mechanical life support and back to finding self-sufficient means, such as unplugging from 'the grid', growing our own food, taking care of ourselves instead of allowing the machined existence dictate our flavorless lives. I'm just getting started in this field, but I have always been fascinated by how you can plant a seed and from it grows fruit and vegetables within a matter of a month or two. Aquaponics is definitely something that I want to explore and may be able to eventually contribute to, and has the potential to ensure that we can continue to feed the human race even as our current farming methods become unsustainable. They're doing amazing things in Japan with indoor hydroponic farming. I'd like to replicate their successes on smaller scale and in a 'community' atmosphere.

3. Information Technology Education - IT is a large field and has many practice areas. We used to think of Computer Science as one simple thing, but the field has exploded. Of course, that means that the education that we provide to newcomers in the field is more spread out amongst the disciplines, and that we haven't had time to teach and focus on the importance of the basics. I would love to contribute to a solution to this, and to find the time to develop and market these solutions to train the neophytes. Making it interesting enough to keep their attention when the blinking lights and fun sounds of the web are grabbing their attention will likely be one of the greater challenges.

So, there's three things I've set for myself, and they're goals I couldn't have thought of spending time on until now. I hope that everything turns out well with this potential change in my life and that I have the opportunity to change the world.

November 13, 2015

My life is extremely busy. Not only do I find myself working a great deal, but I also have plenty of hobbies, some of which I have discussed on here.

I actually went for an interview today and when I mentioned how multi-faceted I was [thanks for the word, interviewer!], one of the interviewers asked if I had a blog. I sheepishly turned and said that indeed I did, but that I hadn't updated it in a while.

Part of the reason that I haven't is that I consider the work that I do day to day to be sensitive in nature. Not that it's hush-hush, but I certainly don't have my employer's permission to be posting the details of their network design or security implementations all over the web. Because work has been consuming the better part of my life since Feb 2014, there is very little posted since then. However, I have certainly had a lot of personal triumphs, changes, etc. I mostly share these with my friends on Facebook, though, and have really stopped writing opinion pieces for random strangers to stop by and read.

Perhaps I can change that. I haven't written in a while, and I'm kind of rusty. I'm going to try to pick up the personal pen and pick my pitiful brain to put it down on this page probably twice a month. In two days time I will pick a topic, draft an opinion or a rant and type it out for you to read, if you're still there. And I'll try to continue at that pace - twice a month, while sitting at the TV, instead of falling asleep. See you then.

February 16, 2014

If you're going to develop Android applications, and you've run into a problem with the Android Virtual Device Manager - as in, the emulator is just TOO DAMNED SLOW - I've got two tips for you I found elsewhere on the web:

0. If you're on Windows, even the program recommends setting the RAM to 768 - so do this first - I wasn't even able to get an AVD to run with more than that.

January 19, 2014

Art is a skill that has limited to no association with what I currently do for a living, but has been a quiet passion of mine for many, many years. Most people that know me have no realization that within me burns a passion for artistic expression, because I have learned to quell this from coming to the fore.

There were two teachers in my middle and high schools that heavily influenced my artistic development, and neither of them for the good. This is just a story that needs to be told, so I thought I'd share it here on my blog.

In sixth grade, I attended a single-grade annex school of I.S. 24 in New York. One of the classes we took was an art class that covered a large variety of materials and artistic methods. We did painting, mosaics using food-colored rice, papier-mâché, and drawing with watercolors and inks. One drawing firmly in my mind is a project that we were doing in class where we had copied some artwork from a book using pencils and tracing methods, but were tasked with coloring it with watercolors. We had to work at a table with other students, and I was stuck at a table where there was this one asshole kid who didn't give a shit about the class or the assignment. During the class, he decided it would be fun to take his wet brush with watercolors and flick it at other people's artwork, spraying it and destroying the painting. Of course, I had no choice but to tell the teacher he was destroying the artwork, and I would have expected that she would punish the little jerk-face and at least isolate me from him so that I could finish working on my piece. However, I was shocked and amazed when she came over and expressed to both of us that his 'flicks' made my piece look more INTERESTING. What the fuck!?! And then she turned off and went over to other tables!! No punishment, only encouragement for the asshole's behavior! Of course, the cackling little fucker took this to mean he could do whatever the hell he wanted. He and I began a battle of flicks that destroyed both works of art, but of course he couldn't care less about his. As for me, my spirit lay crushed, as the painting that I was proud of was now ruined by a little shit.

In ninth grade, I took a drafting class [mechanical drawing] at South Brunswick High School in New Jersey, led by an older black gentleman with a gruff demeanor and the scowl of Scrooge himself. I didn't mind his demeanor and thought of him as a talented and experienced drafter who had given up his career to begin teaching and mentoring new students into THE WAY. The class was glorious! I loved going to the class and developing highly precise drawings of objects in all three dimensions, using the T-Square and Triangles, precisely copying the fonts and measuring to ensure the diagrams were accurate blueprints. It was fantastic up until the part where we had to ink the drawings. Now, this was back in 1980/81, so inking drawings was done using ink-well pens. I don't know if you've ever had to use one of these stupid things, but essentially the first thing you're going to do is blot your work. Then, you're going to blot some more. The solution to this is to ink a drawing over a thin see-through film, rather than right on the original. If you blot, you start the inking process over. I learned for the most part how to control the pen, but it was a difficult task, and even toward the end of the class, I would occasionally blot my inking and have to restart it. I was still doing fine, and I certainly had the patience to restart when needed - it was part of the requirement, after all.

It all ended with the final exam. You see, the final exam counted for half of our grade, and it had an inking in it. That would have been fine except for two things:

There was a time limit of the one hour class, so restarting or redoing the work would not be possible.

Just as he handed out the final exam, he made the statement, "If you blot your final work, you will receive an F"

But, hey, no pressure, right?!?! SHIT, when I got to the final ink, I was nervous as hell. I got 90% of the way through the final inking before you can guess what happened. The ink in a freshly welled tip spilled over the final draft, ruining the fine and precise lines I had spent 50 minutes making.

I cried like a little girl. Yes, that's right, I cried, folks - I was ruined. I turned in what work I had finished (the pencil drawing), and sure enough - that [Edit: there was a REALLY bad word here. When I wrote this, I passionately considered it and decided to write it anyway. However, some people may find it very offensive, and they may end up judging me by that one word. I do not have a career as a writer. Were I Norman Mailer, I would have left it in. I am not, it comes out.] failed me just like he said. The emotional toil of failing a class that I absolutely LOVED and even had the majority of the skill-set for (apart from inking, apparently) was so devastating that I didn't touch a T-Square for 30 years.

I now own a drafting table. I bought it when I moved into this house and saw a mechanical table on Craigslist. Some guy had been using it as a mechanical lift in his garage and it was covered in grease and oils. I cleaned it up and put a new surface on it from a local art store. When I find time, I go downstairs and I draw using the drafting table for a surface. I even have a T and triangle. Of course, the actual art of mechanical drawing is now very computerized. I like to play with Blender every now and again, but find very little time for those pursuits among all of the other things that grab my interest and require my time, but if I ever had lots of free time on my hands, it would be one of the things I love to do.

November 23, 2013

I was at DefCon 21 and a guy was there with a homemade Bitcoin vending machine/suitcase. It had a coin slot in the side, and it cashed in your USD for some Bitcoin at the current MtGox exchange rate minus an (it turns out exorbitant) fee. No matter, I was only curious to the tune of 5 quarters and I received a piece of paper with both the public and private key for a wallet that had been sent the .00810374 Bitcoins. This week, I loaded up the key and peeked into what my piece of a Bitcoin was worth. $5.70! That's right, I had made 570% on my $1 investment in just two short months. That piece of paper got smoothed out, touched up (it had begun to smear) and put somewhere a little bit safer.

Some of you reading this posting may not know what a Bitcoin is. It's an alternate currency - an experiment in basing value of currency off of a share of work toward solving cryptographic algorithms. Is it nerdy - yes, on the face of it, it's very nerdy and at the same time, interesting. You see, Bitcoins are not created by a government, their value is set entirely through free market, and it is possible to trade Bitcoins anonymously. A Bitcoin is an experiment in the ultimate barter system, out of reach of 'the man' - and the only value is dependent upon what someone else will decide to give you for it.

The ability to create a Bitcoin 'wallet' anonymously and exchange coins between wallets without involving third parties in performing the actual transactions.

This takes some care, since all transactions are essentially traceable through the blockchain from creation to current wallet. It is important that one does not just register with a website, buy some coin and then promptly spend those on something that will get you into trouble. To be truly anonymous, one needs to put some space between your name and the spending of the bitcoin. Logically, sending the bitcoin to a vendor of some sort that handles a large number of clientele, without care for their identity, that will be willing to send the bitcoins back to a new address will be enough to break the link. But I am not a lawyer, a policeman or an expert in money laundering.....

The free market value of the bitcoin is linked to important economic indicators - such as how expensive it is to create/mine a bitcoin, how many vendors will actually take a bitcoin in payment and how liquid a bitcoin is (until EVERYONE will take bitcoin, you'll still need to be able to cash it out in your native currency). A list of bitcoin vendors comes in handy and is growing quickly. I was frankly amazed at the number of physical product vendors that are on the list - and now a University in Cyprus will let you pay tuition in bitcoin.

There are numerous ways to store your bitcoin - with an online wallet service or exchange like coinbase or blockchain.info. Probably the most famous exchange is Mt.Gox although they've had some problems in the past like the DHS freezing their funds at Dwolla. If you run the Bitcoin client (effectively becoming part of the bitcoin network), you can create a wallet on your own and will only need to get someone to send bitcoins to the created wallet address. You can also back up your wallets to paper copies of the public and private key associated with it. This is normally done via QR code to make them easier to input.

Since bitcoin spending can't be controlled by anyone - spending them on things that would normally be against a government's desire is a very simple process. (although still traceable if not done properly to protect your anonymity!!) This means there are a lot of casinos popping up online that take bitcoins. Of course, I can't leave out the fact that some markets exist for the drug trade and that the creator of said marketplace is alleged to have arranged at least one hitman on that marketplace.

Of the many bitcoin sites I've seen today when poking around, most remind me of the early days of the web. Horribly designed sites aimed at enticing the user with garish images and offers of FREE BTC!! If you've got a bitcoin wallet and would like some free bitcoin (less than a penny's worth on average) to start you off, go ahead and click there and give it your wallet address.

October 20, 2013

I went to my first DC-area security con, B-Sides DC, held yesterday and today, after attending Blackhat and Defcon earlier this year. There's definitely a difference, going to a conference where you go home at night vs. one where you stay at the conference hotel and focus entirely on the con. For one thing, you can't really give 100% of your attention to the conference contests and socializing. At the end of the day, you still have to commute back home, spend time with the family and deal with your normal responsibilities. So, right off, attending Defcon was the better experience solely for this reason. On the other hand, B-Sides DC was $10 for two days of learning, and my travel costs were $12 for parking and $6-$9 for gas. Defcon still wins, because, hey - Vegas - but other than that, this was well worth my weekend.

After attending Defcon, I was asked to give some talks on what I've learned out in Vegas and I had prepared a slide deck that had several advantages. One, I got to spread the knowledge to other people. The talks I gave went from the very broad to the very technical in sharing the Blackhat/Defcon experience, and giving the talks helped to cement some of the knowledge from the whirlwind that is the con experience. So I figured I should do a brain dump of sorts of my experience at B-Sides to cement some of the stuff I learned there, and organize some of the notes I've taken, links I picked up and Twitter accounts to add. These notes are going to be rambling, and have referential information throughout that I needed to capture. I'm only making a mild effort to make complete thoughts and sentences for the reader, and may not have even come to an assessment of what was important about each talk for me to take note of.

I have in my notes that Bruce is an author - I remember him discussing that the first book he authored was with O'Reilly - I recall that SOMEONE (not necessarily Bruce) at B-Sides said that the entry point into signing up to write a book on technical subjects seemed to have a fairly low barrier and that writing a book on a subject you barely knew was not only possible, but something he had done. Now that I think on it, I believe that was @grecs instead of Bruce (whomever it was, they had written a book on 802.11 and learned the subject while writing the book).

Bruce's talk was about education, skills, the difference that IT Security is from hard sciences, refocusing of the collective to the end goals of IT Security, and in the end, getting back to the roots of InfoSec by fucking shit up. He had a lot of personal stories, but I think they were mainly to demonstrate that the path to becoming an InfoSec ninja is not a cookie-cutter career path. In my notes I have written 'R U A WIZRD'? which refers to the Rock Star Syndrome he was discussing (not by name) of our over-inflated egos of thinking we're better than we really are just because we have the special skill of understanding how the magic smoke works. He went on to rail against Certifications not necessarily being the answer to the irrelevant and outdated curriculum of university degrees in the fast paced industry of InfoSec.

Bruce also brought a three-year old to B-Sides (and told him he was about to learn some new words) - although I'm pretty sure he was being himself, and the kid had probably heard those words before (forgive me Bruce if I'm wrong). The talk was very humanizing and I think it really led to the audience being able to identify with the college-dropout, successful level 42 Wizard, author, industry leader.

In the end, though, Bruce had a point - he wanted us to try to figure out how to fix the education problem (where Youtube videos are better InfoSec teachers than instructors), how to fix the qualifications problem (where who-you-know frequently passes for what-you-know and security certs are still testing whether you know outdated security models from the 1970s) and get to the business of ACTUALLY FIXING THE CUSTOMER'S PROBLEM - which is broken security. And he had another point - Bruce asked for people to get back to the roots of InfoSec and maybe stop being so damned gentlemanly. The bad guys aren't playing nice, and I think that he's a bit upset that everyone is being so damned nice to each other and respecting each other's boundaries at cons and other hacker battlegrounds. Probably because it's dulling our senses and our abilities as a group.

B-Sides has two talk tracks (and one education track) - and it was this talk or a talk on why your corporate password policy is weak. Since I'm already a soap-box candidate for preaching about password policies as a failed solution and I didn't want to learn what SANS 20 Security Controls were, I sat in on Michele's talk about why we'll fail the BYOD battle. Of course, I was expecting a technical talk, not a psychology talk - which is what she ended up giving. She explained the drug-like addiction properties of social media and the devices that we use, and encouraged empathy and embracing the user's wishes when it comes to BYOD [Sorry: that's Bring Your Own Device (to work) for the uninitiated]. She spoke about how Security [industry and policy] is seen as just a roadblock to users getting what they want.

My notes have three takeaways: 'Stoptional' - the optional stopping of a vehicle at a stop sign, presumably in Louisiana - a cute term someone behind me and to my right explained when comparing corporate security policy and the likelihood that your users will obey it to STOP signs and road laws. Empathy/working together - which summed up MrsYisWhy's point she wanted us to consider - key slide being 'Don't say No - say Yes, and....' (I personally prefer Yes, but... but I can see how that might make me out to be the bad guy) and www.healthyparanoia.net which appears to take me to the Packet Pushers Podcast page - a podcast I had previously been unaware of.

She then handed out T-Shirts to some random trivia questions and was upset that no one remembered that Solaris 2.6 marked the beginning of their shift to a 64-bit OS. Her personality overall, by the way, seems to match very readily to the picture she's chosen as an avatar on Twitter - a bit on the spiritual/kooky side.

@grecs' talk was full of useful information and links on Malware Analysis - a weak point for me since I haven't done much of it. Not only did I take notes, but I actually used my phone to take some [screen]shots of his talk on the projection screen that I need to transcribe later.

I think @grecs is a recovering stutterer, or is developing one - but he pushed through it fairly well and only had a few seconds of touch and go fighting it off during his speech. Talking in public is HARD, HARD, HARD for anyone - I can't imagine how much more difficult it must be when your brain just decides to lock up on you like that - not only do you feel some embarrassment, but that just adds to the problem and it can go into a death spiral...so good job pushing that stick forward and pulling out of the death spiral!

Grecs is actually a Twitter account I already follow, and I like some of the articles that recur on NOVA Infosec, his website. It appears the Malware Analysis BSides DC slide deck has already been posted there from his talk (Thanks, Dude!!!!) Also, I should thank his sponsors @BulbSecurity and @PenTestTraining for bringing him to B-Sides DC and supporting his work. It is people like @grecs who help the security industry's world go 'round and it can be hard to get paid to do work that benefits a community.

Ok - for this talk I have THREE written pages of notes that are mostly a list of tools for the various aspects of setting up a Malware Analysis Lab, the step-by-step processes and alignment of the tools to those processes and relevant training websites. Once he got going - this talk was probably the most STRUCTURED and INFORMATION DENSE talk of the conference. The slides are up on SlideShare - use the link above on his website to essentially see what I've put down in my notes. Knowing they're there - I'm not going to attempt to replicate the information here.

----Tired for now - will take a break and resume discussions of other talks later on ---------

September 28, 2013

I'm just finishing up my last (second) day of BlackHat briefings. I was lucky enough to be able to be sent to attend BlackHat this year by my company (Dynamics Research Corp). A few tips for attendees - water, deodorant, more water, and black T-shirts. The uniform of the day for conference attendees seems to be the ubiquitous black T-shirt with some form of hacking slogan on it. I'd say it's at least 50% if not more.

You'll need to drink plenty of water to stay hydrated. So far, I think I'm winning this battle, but as soon as you step outside in the Vegas heat, your mouth dries up within seconds, and you can feel the water get wicked up your esophagus only to be lost to the desert. While you won't spend much time outside, the dryness persists in the air-conditioned casinos, and while it's a slower process, it continues unabated the whole time you're here.

Also, don't forget to eat. I think I ate dinner at 11:45PM last night. There is so much going on, and it's so interesting that skipping a meal as you focus on something else is an easy thing to do.

With all that said, Oh My God! - I need to come to this every year, whether the company is picking up the tab or not. I may not be able to afford BlackHat, but I can probably pick up BSides-LV and Defcon myself. The people here are smart as hell - everyone is extremely congenial and open and the whole experience so far has been phenomenal. It's going to take me all year just to DIGEST the amount of information I've picked up here - and my head is SWIMMING with new ideas spurred by some of this research. I'm thinking in new ways about timing attacks, secondary communication channels, encryption, browser security, organizational defenses.....it's incredible!

Note: This post sat in draft mode because I never got back to finish writing it - Defcon was so engaging I forgot about it entirely.

July 16, 2013

Cryptography offers us many things - not just the ability to lock up secrets that can only be decoded if we know some secret password. Using the processes of hashing, encoding and decoding, we've been brought capabilities such as digital signatures, network secrecy and non-shared key authentication. I was thinking about one particular capability offered by our cryptography geniuses - the use of hashing algorithms to derive secret keys over a given number of cycles without an easy way to determine the solution without actually performing the calculations over that number of cycles. Wow - that sounds like it's going to get complicated...Let's back up and take a look at just what a key derivation function is.

In essence, what these functions do is produce a deterministic sequence of pseudo-random numbers by performing a set of specific calculations over and over (you set the number of repetitions). By feeding the function a pass-phrase, it blends that pass-phrase into a messy sequence of numbers that supposedly cannot be reverse-engineered by any means other than running the same blending process with the exact same pass-phrase over the same number of cycles. There are different versions of this - bcrypt, PBKDF2 and scrypt - with scrypt being the most modern of the three: it is designed to take not only repetition into account but also a configurable amount of memory, which keeps the cost of the function high by requiring additional hardware for parallel attacks.

What struck me today is that this function can essentially be used as a time-lock. To the analogies!!! You walk into a bank and go to hold up the teller - you might get out of the bank with $1,000 - $2,000...hardly worth the risk. Why don't you rob the safe in the back that holds all of the money? Because it has a time-lock on it. It can probably only be unlocked by the bank manager after putting in the combination and waiting for an hour for the safe to open. If you're robbing a bank, your time frame is a lot shorter than an hour. It raises the risk of being caught and the bank knows this - which is why they use time locks. The longer it takes you, the heavier the risk side of your risk/reward see-saw.

What if people implemented time-locks for high-risk transactions in the automation of business transactions? The risk of a transaction could determine how long the transaction must take to complete. Time locks would be implemented so that verifying the transaction requires completing a key derivation function, with half of the compute time taken by the sender and half of the compute time taken by the receiver.

Scenario:

Transferring $10 to your wife's account? No problem, sir, take but a second..

Oh, you want to transfer $200,000 to a random account number in the Grand Cayman Islands? Yes, sir - we can do that for you - the transaction will begin now, and the transfer will complete in 12 hours. No, sir, the receiving party will not credit the amount until both sides reach the agreed upon key for the transaction. The transaction will show as 'pending' until it completes or is aborted.

As computing time/resources get cheaper, validation time can be kept in line with the risk, requiring specific amounts of resources (cycles, processes, memory) to perform the transaction. Resource costs would have to be passed on to customers as part of transfer fees - time increases would be enforceable at the interface level, since communication of the transaction verification could not be done without the derived key, enforced by a protocol standard.
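To make the idea concrete, here is an added Python example of the key-derivation time lock sketched above; it is not code from the original post. PBKDF2-HMAC-SHA256 from the standard library does the derivation, a constructed risk table maps the transfer amount to an iteration count, the key is bound to the transaction details so the work cannot be reused for a different transfer, and the sender and receiver each run half of the chain so that neither side can produce the settlement key early. The salt, the tier thresholds, the account names and the transaction encoding are all made-up values.

```python
import hashlib
import hmac
import time

# All values below are constructed for illustration, not taken from the post.
SALT = b"example-bank-salt"  # a real deployment would use a random per-transaction salt

# Constructed risk table: (amount ceiling, PBKDF2 iterations). The post's idea is that
# a riskier transfer must pay for more compute, and therefore more wall-clock time.
RISK_TIERS = [
    (100.0, 1_000),            # small transfers settle almost instantly
    (10_000.0, 50_000),
    (float("inf"), 400_000),   # large transfers take noticeably longer
]


def iterations_for_amount(amount: float) -> int:
    """Map a transaction amount to the number of KDF iterations it must pay for."""
    for ceiling, iterations in RISK_TIERS:
        if amount <= ceiling:
            return iterations
    raise ValueError("amount did not match any tier")


def derive(secret: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: there is no shortcut to the result other than running every iteration."""
    return hashlib.pbkdf2_hmac("sha256", secret, SALT, iterations, dklen=32)


def transaction_secret(sender: str, receiver: str, amount: float, nonce: bytes) -> bytes:
    """Bind the derivation to the transaction fields so the work is not reusable for another transfer."""
    return f"{sender}|{receiver}|{amount:.2f}|".encode() + nonce


def sender_half(secret: bytes, total_iterations: int) -> bytes:
    """The sender performs the first half of the iterations and ships the intermediate value."""
    return derive(secret, total_iterations // 2)


def receiver_half(intermediate: bytes, total_iterations: int) -> bytes:
    """The receiver continues the chain from the intermediate value for the remaining iterations."""
    return derive(intermediate, total_iterations - total_iterations // 2)


def settlement_key(sender: str, receiver: str, amount: float, nonce: bytes) -> bytes:
    """The full chain, as a verifier such as the ledger would recompute it to clear a pending transfer."""
    total = iterations_for_amount(amount)
    secret = transaction_secret(sender, receiver, amount, nonce)
    return receiver_half(sender_half(secret, total), total)


def settle(sender: str, receiver: str, amount: float, nonce: bytes, presented_key: bytes) -> bool:
    """Credit the receiver only if the presented key matches; compare in constant time."""
    return hmac.compare_digest(presented_key, settlement_key(sender, receiver, amount, nonce))


if __name__ == "__main__":
    nonce = b"constructed-nonce-0001"
    for amount in (10.0, 200_000.0):
        started = time.perf_counter()
        key = settlement_key("alice", "cayman-acct", amount, nonce)
        elapsed = time.perf_counter() - started
        print(f"${amount:>12,.2f}: {iterations_for_amount(amount):>7} iterations, "
              f"{elapsed:.3f}s, key {key.hex()[:16]}...")
```

Note that a verifier who recomputes the chain pays the full cost; that is the point, since the delay is enforced by the protocol rather than by a business rule anyone can switch off. Tuning the tier table is what keeps the delay in line with the risk as hardware gets cheaper.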

Now for the devil's advocacy - This would have a negative impact on customers performing high-risk transactions. It would probably never make it past lobbying organizations, and people who regularly pass around large sums of money would find some other way of performing wire transfers to get around the limitations. Also, time-locks could be implemented without even using these processes if banks REALLY cared about the risks of risky automated transactions, through simple business rules and agreed upon timelines and risk limits. So- just another random rambling....

July 08, 2013

Agile Development doesn't mean excluding the need for documentation – however, processes and tools can be used to create documentation FROM the process of development. Rather than putting the cart before the horse to lead him, you allow the horse to pull the cart, and, when you GET there, look back and follow the cart tracks to inform and document the path you've taken (upon which you can decide to pave a road, perhaps). This is why Agile CAN BE an effective software development practice - because you don’t have to pay for someone to pull the cart ALL THE WAY from Start to Finish and pull the kicking and screaming horse behind…you instead get smart drivers on the cart to lead the horse only to the next step toward the destination and a horse who is smart enough to walk around the trees.

July 06, 2013

Yet another unfinished thought on auditing and system design - I cleaned up a little, but again - publishing from draft:

When it comes to performing information security, it's easy to get lost in technical solutions and overtly technical discussions regarding what you need to lock down your business. With the complexities of password policy, application and network design, encryption algorithms, VPNs and firewalls all spinning around in your head, there is something very easy to understand that is at the core of providing risk awareness.

Auditing - not just logging of security events, either, but good old fashioned auditing of your books and business transactions. Keeping an eye on what's going on in your business may help you identify when there's someone with their hand in the cookie jar - and it won't make any difference that they got into your network if you catch them in the act of siphoning off your accounts.

Supervisory function: I can't imagine that a bank teller would be permitted to leave the premises at the end of his or her shift if their drawer was short of cash. Managers count them up and monitor whether or not their transactions line up and everything checks out. In so doing, anything out of the ordinary would be reviewed and questioned. The bank manager performs the supervisory function and is aware of the business rules that are applied to ensure proper operation of the business. Even with automated teller machines in banks, this supervisory function is not forgotten - reviewing transactions and matching them up to the cash in the machine during cash outs helps the banks ensure that everything is performing at least to some modest business constraints.

Constraints and Limitations: In the same instance, tellers are not given access to the entire bank balance. Those who rob banks will likely tell you that robbing a teller these days is hardly worth the risk since the take will be very low. It's probably more rewarding to hold up a cash business like a fast food restaurant, where the controls are not as involved and there's more chance of obtaining large cash drawer balances. Even ATMs, which are entrusted with large cash drawers (since they're not likely to turn over their cash to a gunman), still have a limit to their losses based on how much they're loaded with. When we design computer systems that access things like bank balances and accounts, we need to be reminded that business rules that impart these constraints and limits on transactions still need to be in place. Even more so, hair triggers on constraints should lock down transactions from a source (such as a web front-end) that shows signs of being erratic.
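Here is an added Python example, not code from the original post, that puts both of the points above into a small ledger: per-transaction and per-source limits act as the "teller drawer", a hair trigger locks out a source that keeps tripping the constraints, and a reconciliation pass plays the bank manager by checking that the opening balances minus the journal still equal the current balances. The limit values, account names and source names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy values, chosen for illustration only.
PER_TX_LIMIT = 2_000.0          # the "teller drawer": no single withdrawal above this
DAILY_SOURCE_LIMIT = 10_000.0   # the most one front-end may move per day
HAIR_TRIGGER = 3                # rejected requests from one source before it is locked out


@dataclass
class Ledger:
    balances: Dict[str, float]
    spent_today: Dict[str, float] = field(default_factory=lambda: defaultdict(float))
    rejections: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    locked_sources: Set[str] = field(default_factory=set)
    journal: List[Tuple[str, str, float]] = field(default_factory=list)

    def _check(self, source: str, account: str, amount: float) -> Optional[str]:
        """Business-rule constraints; returns a rejection reason or None if the request is allowed."""
        if amount <= 0:
            return "invalid amount"
        if amount > PER_TX_LIMIT:
            return "over per-transaction limit"
        if self.spent_today[source] + amount > DAILY_SOURCE_LIMIT:
            return "over daily source limit"
        if self.balances.get(account, 0.0) < amount:
            return "insufficient funds"
        return None

    def withdraw(self, source: str, account: str, amount: float) -> str:
        """Apply the constraints; an erratic source is locked out after HAIR_TRIGGER rejections."""
        if source in self.locked_sources:
            return "locked"
        reason = self._check(source, account, amount)
        if reason is not None:
            self.rejections[source] += 1
            if self.rejections[source] >= HAIR_TRIGGER:
                self.locked_sources.add(source)
            return reason
        # Every approved movement of money is journaled; nothing else should touch balances.
        self.balances[account] -= amount
        self.spent_today[source] += amount
        self.journal.append((source, account, amount))
        return "ok"


def reconcile(ledger: Ledger, opening_balances: Dict[str, float]) -> List[str]:
    """Supervisory count: replay the journal over the opening balances and report accounts that differ."""
    expected = dict(opening_balances)
    for _, account, amount in ledger.journal:
        expected[account] -= amount
    return sorted(a for a in expected if abs(expected[a] - ledger.balances[a]) > 0.005)


if __name__ == "__main__":
    opening = {"acct-1": 5_000.0, "acct-2": 100.0}   # constructed sample accounts
    ledger = Ledger(balances=dict(opening))
    for source, account, amount in [("web", "acct-1", 500.0), ("web", "acct-1", 5_000.0),
                                    ("web", "acct-2", 500.0), ("web", "acct-1", -1.0),
                                    ("web", "acct-1", 10.0), ("branch", "acct-1", 10.0)]:
        print(f"{source:>6} {account} {amount:>9.2f}: {ledger.withdraw(source, account, amount)}")
    ledger.balances["acct-2"] -= 50.0   # an off-journal adjustment, i.e. a hand in the cookie jar
    print("accounts that fail reconciliation:", reconcile(ledger, opening))
```

The reconciliation catches the off-journal adjustment regardless of how it was made, which is the point of the post: the audit does not need to know how someone got in, only that the books no longer balance.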